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OES 2 SP3: Open WBEM Services Administration Guide 


About This Guide 


This guide gives an overview of Open WBEM services and Common Information Model (CIM) 
technologies included with Novell Open Enterprise Server (OES) 2 and how they relate. It also 
describes how to implement these services in your network and configure the OpenWBEM Common 
Information Model Object Manager (CIMOM) on an Open Enterprise Server running SUSE Linux. 


This guide is divided into the following sections: 
+ Chapter 1, “Overview,” on page 7 
+ Chapter 2, “What's New for OpenWBEM,” on page 9 
+ Chapter 3, “Migrating OpenWBEM from NetWare to OES 2 Linux,” on page 11 
+ Chapter 4, “Running OpenWBEM in a Virtualized Environment,” on page 13 
+ Chapter 5, “Setting Up Open WBEM,” on page 15 
+ Chapter 6, “Changing the OpenWBEM CIMOM Configuration,” on page 19 
+ Chapter 7, “Security Considerations,” on page 35 


Audience 


This guide is intended for network administrators. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the User Comments feature at the bottom of each page of the 
online documentation, or go to www.novell.com/documentation/feedback.html and enter your 
comments there. 


Documentation Updates 


For the most recent version of the OES 2: OpenWBEM Services Administration Guide, see the Open 
Enterprise Server online documentation (http://www.novell.com/documentation/oes2/cimom/data/ 
front.html#bktitle). 


Additional Documentation 


For more in-depth information about the Distributed Management Task Force (DMTF) and its 
standards, see the DMTF Web site (http://www.dmtf.org/home). 


For more information on the open source project OpenWBEM, see the OpenWBEM Web site (http:// 
openwbem.org). 
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Overview 


Novell Open Enterprise Server (OES) 2 has embraced the open standard strategies of Web-Based 
Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF) 
(http://www.dmtf.org/home). Implementing these strategies can substantially reduce the level of 
complexity associated with managing disparate systems in your network. 


The following information describes a few of the components proposed by the DMTF standards. 
Understanding what these are and how they relate to each other can help you understand what 
OpenWBEM is and how you most effectively use it in your network. 


+ Web-Based Enterprise Management (WBEM) is a set of management and Internet standard 
technologies developed to unify the management of enterprise computing environments. 
WBEM provides the ability for the industry to deliver a well integrated set of standards-based 


management tools leveraging the emerging Web technologies. The DMTF has developed a core 


set of standards that make up WBEM: 
+ A data model: the Common Information Model (CIM) standard 
+ An encoding specification: CIM-XML Encoding Specification 
¢ A transport mechanism: CIM Operations over HTTP 


+ The Common Information Model (CIM) is a conceptual information model for describing 


management that is not bound to a particular implementation. This allows for the interchange of 


management information between management systems and applications. This can be either 


agent-to-manager or manager-to-manager communications that provide for distributed system 


management. There are two parts to CIM: the CIM Specification and the CIM Schema. 


The CIM Specification describes the language, naming, and meta schema. The meta schema is a 


formal definition of the model. It defines the terms used to express the model and their usage 


and semantics. The elements of the meta schema are Classes, Properties, and Methods. The meta 
schema also supports Indications and Associations as types of Classes, and References as types 


of Properties. 


The CIM Schema provides the actual model descriptions. The CIM Schema supplies a set of 


classes with properties and associations that provide a well understood conceptual framework 


within which it is possible to organize the available information about the managed 
environment. 


+ The Common Information Model Object Manager (CIMOM) is a CIM object manager or, more 


specifically, an application that manages objects according to the CIM standard. 


+ CIMOM providers are software that performs specific tasks within the CIMOM that are 
requested by client applications. Each provider instruments one or more aspects of the 
CIMOM's schema. 


Open Enterprise Server contains the CIMOM from the OpenWBEM project (http://openwbem.org). 


The packages contained in the Web-based Enterprise Management pattern in the Primary Functions 


category (on Linux) or the OWCIMOMD include a set of basic Novell providers, including some 
sample providers, and a base set of accompanying Novell schemas. 


Overview 


As Novell moves forward with OpenWBEM and development of specific providers, it will provide 
tools that offer the following important features: 


+ Efficient monitoring of network systems 
+ Recording of alterations within existing management configurations 


+ Hardware inventory and asset management 


Understanding how the OpenWBEM CIMOM is set up and how to configure it can help you monitor 
and manage disparate system in your network with more confidence and ease. 


1.1 What's Next 


For information about the tasks you might want to perform, see the following table. 


Table 1-1 Information Index 


Task See 

Learn about coexistence and migration issues. “Migrating OpenWBEM from NetWare to OES 2 Linux” 
on page 11 

Setting Up OpenWBEM “Setting Up OpenWBEM” on page 15 

Learning about virtualization differences “Running OpenWBEM in a Virtualized Environment” 
on page 13 

Configuring OpenWBEM “Changing the OpenWBEM CIMOM Configuration” on 
page 19 

Ensure the server and data are secure “Security Considerations” on page 35 
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2.1 


2.2 


2.2.1 


What's New for Open WBEM 


The features and capabilities in this section were added for OpenWBEM since the initial release of 
Novell Open Enterprise Server 2. 


+ Section 2.1, “What's New (April 2013 Patches)” on page 9 

+ Section 2.2, “What's New (January 2013 Patches)” on page 9 
+ Section 2.3, “OES 2 SP3,” on page 10 

+ Section 2.4, “OES 2 SP2,” on page 10 

+ Section 2.5, “OES 2 SP1,” on page 10 

+ Section 2.6, “OES 2,” on page 10 


What's New (April 2013 Patches) 


The April 2013 Scheduled Maintenance for OES 2 SP3 includes a channel upgrade to Novell 
eDirectory 8.8 SP7. For information, see TID 7011599 (http://www.novell.com/support/kb/ 
doc.php?id=7011599) in the Novell Knowledgebase. 


What's New (January 2013 Patches) 


+ Section 2.2.1, “Upgrade to Novell iManager 2.7.6,” on page 9 
+ Section 2.2.2, “Novell Client Support for Windows 8 and Server 2012,” on page 10 


Upgrade to Novell iManager 2.7.6 


The January 2013 Scheduled Maintenance for OES 2 SP3 includes a channel upgrade from Novell 
iManager 2.7.4 to Novell iManager 2.7.6. 


Novell iManager 2.7.6 provides the following enhancements: 


+ Microsoft Internet Explorer 10 certification on Windows 8 (excluding Windows 8 RT) and 
Windows Server 2012. iManager 2.7.6 does not support the Metro user interface view for 
Internet Explorer 10. 


+ Apple Safari 6.0 certification on Mac OSX Mountain Lion (version 10.8). 
+ ¡Manager Workstation certification on Windows 8 Enterprise Edition (32-bit and 64-bit). 
+ Manager 2.7.6 support for Tomcat 7.0.32. and Java 1.7.0_04 versions. 


iManager documentation links in this guide have been updated to reflect this change. 


iManager 2.7.6 documentation is available on the Web (https://www.netig.com/documentation/ 
imanager/). For earlier ¡Manager versions, see “Previous Releases” (https://www.netiq.com/ 
documentation/imanager27/#prev). 
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2.2.2 


2.3 


2.4 


2.5 


2.6 


Novell Client Support for Windows 8 and Server 2012 


The January 2013 Scheduled Maintenance for OES 2 SP3 announces the availability of Novell Client 2 
SP3 for Windows with support for: 


+ Windows 8 (32-bit and 64-bit) excluding Windows 8 RT 
+ Windows Server 2012 (64-bit) 


Novell Client 2 documentation links in this guide have been updated to reflect the release of SP3. 


Novell Client 2 SP3 for Windows documentation is available on the Web (http://www.novell.com/ 
documentation/windows_client/). Documentation for earlier versions is available under Previous 
Releases (http://www.novell.com/documentation/windows_client/#previous). 


OES 2 SP3 


There are no changes to Open WBEM for OES 2 SP3. 


OES 2 SP2 


There are no changes to OpenWBEM for OES 2 SP2. 


OES 2 SP1 


There are no changes to OpenWBEM for OES 2 SP1. 


OES 2 


OpenWBEM in Open Enterprise Server 2 includes the following features that were not in the initial 
release of OES 1: 


¢ For OES 2 Linux, OpenWBEM software packages are distributed by the SUSE Linux Enterprise 
Server 10 software rather than added on by the OES software. 


+ The version of OpenWBEM for Linux is version 3.2. 
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Migrating OpenWBEM from NetWare to 
OES 2 Linux 


The section contains the following information: 


+ Section 3.1, “Coexistence,” on page 11 


+ Section 3.2, “Migration,” on page 12 


3.1 Coexistence 


This section provides information regarding the compatibility and coexistence of OpenWBEM 
Services with existing networks containing OES 2 NetWare or Linux platforms. 


3.11 Compatibility 


The following table summarizes the compatibility of Open WBEM Services with various operating 
systems: 


Table 3-1 Compatibility of OES Services using OpenWBEM Services on Various Versions of Operating Systems 


Operating System Compatible Versions Version of OpenWBEM 
NetWare OES 2 on NetWare 3.1 
NetWare OES 1 on NetWare 3.1 
NetWare NetWare 6.5 SP3 or later 3.1 
Linux OES 2 on Linux 3.2 
Linux OES 1 on Linux 3.1 
Linux SUSE Linux Enterprise Server 9 SP1 and 3.1 
later 
Linux SUSE Linux Enterprise Server 10 and 3.2 
later 


3.1.2 Coexistence Issues 


Unknown. 
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3.2 Migration 


When you migrate different OES 1 services from NetWare to OES 2 Linux, the services should 
automatically convert their use of OpenWBEM on NetWare version 3.1 to OpenWBEM on OES 2 
Linux. You do not need to take any manual steps to make this conversion. 


If you have modified the openwbem. conf file for your NetWare environment, you might want to 
make the same type of changes in the openwbem.conf file on Linux. 


On OES Linux, the openwbem.conf file is the same name as it is for NetWare but file locations and 
settings are different, so you cannot copy the file directly from NetWare to an OES Linux server. The 
concepts are the same, so you can use the information from the NetWare openwbem. conf file to guide 
you in setting up the configuration on OES Linux. For all differences, see “Changing the OpenWBEM 
CIMOM Configuration” on page 19. 
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Running OpenWBEM in a Virtualized 
Environment 


OpenWBEM runs in a virtualized environment just as it does on a physical server running OES 2 
Linux and requires no special configuration or other changes. 


To get started with virtualization, see “Introduction to Xen Virtualization” (http://www.novell.com/ 
documentation/sles10/book_virtualization_xen/data/sec_xen_basics.html) in the Virtualization with 
Xen (http://www.novell.com/documentation/sles10/book_virtualization_xen/data/ 
book_virtualization_xen.html) guide. 


For information on setting up virtualized OES 2 Linux, see “Installing, Upgrading, or Updating OES 
on a Xen-based VM” in the OES 2 SP3: Installation Guide guide. 


Running OpenWBEM in a Virtualized Environment 
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5.1 


5.2 


5.3 


Setting Up OpenWBEM 


This section includes the following information: 


+ Section 5.1, “Installing OpenWBEM,” on page 15 

+ Section 5.2, “LUM-Enabling Open WBEM During OES 2 Linux Installation,” on page 15 
+ Section 5.3, “Starting, Stopping, or Checking Status for OWCIMOMD,” on page 15 

¢ Section 5.4, “Ensuring Secure Access,” on page 16 


+ Section 5.5, “Setting Up Logging,” on page 18 


Installing OpenWBEM 


When you install any component of OES 2 on Linux that is dependent on OpenWBEM packages, the 
OpenWBEM packages are installed automatically. 


If you want to install only OpenWBEM, you only need to select the Web-Based Enterprise Management 
pattern from the Primary Functions category of the Software Selection page. 


LUM-Enabling OpenWBEM During OES 2 Linux Installation 


During the installation of OES 2 Linux or when adding OES 2 Linux on an existing server, ensure that 
you LUM-enable OpenWBEM when you are configuring LUM. This is the default setting. 


If OpenWBEM is not LUM-enabled, the following services might not work as designed on an OES 2 
Linux server: 

+ Novell iPrint 

+ Novell Remote Manager (NRM) 

+ Novell Samba 

+ Novell Storage Services (NSS) 

+ Storage Management Services (SMS) 


Starting, Stopping, or Checking Status for OWCIMOMD 


When OpenWBEM is installed, it installs and starts the OpenWBEM cimom daemon (OWCIMOMD) by 
default on OES on Linux. Information in the following table explains how to start, stop, and check 
status for OWCIMOMD. 
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5.4 


5.4.1 


5.4.2 


Table 5-1 Commands for Managing OWCIMOMD 


Task Linux Command 

Start OWCIMOMD As root in a console shell, enter rcowcimomd 
start. 

Stop OWCIMOMD As root in a console shell, enter rcowcimomd stop. 

Check OWCIMOMD status AS root in a console shell, enter rcowcimomd 
status. 


Ensuring Secure Access 


The default setup of Open WBEM is relatively secure. However, you might want to review the 
following to ensure access to OpenWBEM components is as secure as desired for your organization. 


+ Section 5.4.1, “Certificates,” on page 16 
+ Section 5.4.2, “Ports,” on page 16 
+ Section 5.4.3, “Authentication,” on page 17 


Certificates 


Secure Socket Layers (SSL) transports require a certificate for secure communications to occur. When 
OES is installed, OpenWBEM has a self-signed certificate generated for it. 


If desired, you can replace the path for the default certificate with a path to a commercial certificate 
that you have purchased or with a different certificate that you have generated in the 
http_server.SSL cert = path _ filename setting in the openwbem. conf file. 


The default generated certificate is in the following location: 
/etc/openwbem/servercert.pem 


If you want to generate a new certificate, use the following command. Running this commad replaces 
the current certificate, so Novell recommends making a copy of the old certificate before generating a 
new one. 


1 As root in a console shell, enter sh /etc/openwbem/owgencert. 


If you want to change the certificate that OpenWBEM uses, see “Changing the Certificate 
Configuration” on page 24. 


Ports 


OpenWBEM is configured by default to accept all communications through a secure port, 5989. 
Information in the following table explains the port communication setup and recommended 
configuration. 
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5.4.3 


Table 5-2 Port Communication Setup and Recommended Configurations 


Port 


5989 


Type Notes and Recommendations 


Secure The secure port that OpenWBEM communications use via HTTPS services. 
This is the default configuration. 


With this setting, all communications between the CIMOM and client applications are 
encrypted when sent over the Internet between servers and workstations. Users must 
authenticate through the client application to view this information. 


Novell recommends that you maintain this setting in the configuration file. 


In order for the OpenWBEM CIMOM to communicate with the necessary applications, 
this port must be open in routers and firewalls if they are present between the client 
application (¡Manager plug-in) and the nodes being monitored. 


5988 


Non-secure The non-secure port that OpenWBEM communications use via HTTP services. 
This setting is disabled by default. 


With this setting, all communications between the CIMOM and client applications are 
open for review when sent over the Internet between servers and workstations by 
anyone without any authentication. 


Novell recommends that you use this setting only when attempting to debug a problem 


with the CIMOM. As soon as the problem is resolved, set this back to the secure port, 
5989. 


In order for the OpenWBEM CIMOM to communicate with the necessary applications, 
this port must be open in routers and firewalls if they are present between the client 
application (¡Manager plug-in) and the nodes being monitored. 


If you want to change the default port assignments, see “Changing the Port Configuration” on 
page 25. 


Authentication 


The following authentication settings are set and enabled as the default for each platform for 
OpenWBEM in OES. 


You can change any of the default settings. See “Changing the Authentication Configuration” on 
page 19. 


On Linux, the following settings are default: 


+ 


+ 


+ 


+ 


+ 


+ 


http server.allow local authentication = true 
http server.ssl client verification = disabled 
http _server.use digest = false 

owcimomd.allow anonymous = false 
owcimomd.allowed users = * 


owcimomd.authentication module = /opt/novell/lib/openwbem/authentication/ 
libnovellauthentication.so 


On Linux, the OpenWBEM CIMOM is PAM-enabled; therefore the following can occur: 


+ 


Local users can authenticate to the Open WBEM CIMOM with local user credentials. 
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5.5 


+ If LUM is installed on the server where the OpenWBEM CIMOM is running, then the LUM- 
enabled user can authenticate to the OpenWBEM CIMOM. 


+ Ifa LUM-enabled user has the Supervisor right for the Entry Rights property for the UNIX 
Workstation object that represents the Linux server, the OpenWBEM CIMOM grants that user 
Root privileges to that Linux server. 


Setting Up Logging 
By default, logging for OpenWBEM is set up as follows. 


You can change any of the default settings. For more information, see “Changing the Default Logging 
Configuration” on page 26. 


On Linux, the following settings are default: 


* log.main.components = * 
* log.main.level = ERROR 
* log.main.type = syslog 


This means that OWCIMOMD logging is set up to go to the /var/log/messages file or to other files 
depending on the configuration of syslogd. It logs all errors for all components (OWCIMOMD). 


OES 2 SP3: OpenWBEM Services Administration Guide 


Changing the Open WBEM CIMOM 
Configuration 


When Open WBEM CIMOM (OWCIMOMD) starts, it receives all of its commands for running from 
the openwbem. conf file. The openwbem.conf file is located in the /etc/openwbem/openwbem.conf 
folder. 


Any setting that has the options commented out with a semicolon (;) or pound sign (#) uses the 
default setting. 


When making changes to this file, you can use any text editor that saves the file in a format that is 
native to the platform you are using. 


You can change any of the settings in the openwbem. conf file. This section discusses the following 
configuration settings: 

+ Section 6.1, “Changing the Authentication Configuration,” on page 19 

+ Section 6.2, “Changing the Certificate Configuration,” on page 24 

+ Section 6.3, “Changing the Port Configuration,” on page 25 

+ Section 6.4, “Configuring CIMOM Daemons to Bind to IP Addresses,” on page 26 

+ Section 6.5, “Changing the Default Logging Configuration,” on page 26 

+ Section 6.6, “Configuring Debug Logging,” on page 31 

+ Section 6.7, “Configuring Additional Logs,” on page 32 


Changing the Authentication Configuration 


When changing the Authentication configuration, there are several things that you can control: 


+ Who can access the CIMOM 


+ What authentication module is used 
See the following settings: 


* Section 6.1.1, “http_server.allow_local_authentication,” on page 20 
+ Section 6.1.2, “http_server.digest_password_file,” on page 20 

+ Section 6.1.3, “http_server.ssl_client_verification,” on page 21 

+ Section 6.1.4, “http_server.ssl_trust_store,” on page 21 

+ Section 6.1.5, “http_server.use_digest,” on page 22 

+ Section 6.1.6, “owcimomd.ACL_superuser,” on page 22 

+ Section 6.1.7, “owcimomd.allowed_anonymous,” on page 23 


+ Section 6.1.8, “owcimomd.allowed_users,” on page 23 


Changing the OpenWBEM CIMOM Configuration 


+ Section 6.1.9, “owcimomd.authentication_ module,” on page 24 


+ Section 6.1.10, “simple _auth.password_ file,” on page 24 
6.1.1 http server.allow local_authentication 


Purpose 


Directs the http_server to allow local authentication without supplying a password, relying on local 
system file permissions. 


You can use this setting with the Basic or Digest settings. 


Syntax 


http server.allow local authentication = option 


Option Use 
false Disable local authentication. 
true Enables local authentication. 


This is the default setting for Linux. 


Example 


http server.allow local authentication = true 


6.12 http server.digest_ password file 


Purpose 


Specifies a location for the password file. This is required if the http_server.use_digest setting is 
enabled. 


Syntax 
http server.digest password file = path filename 


The default path and filename for the digest password file is /etc/openwbem/digest_auth.passwd. 


Example 


http server.digest password file = /etc/openwbem/digest_auth.passwd 
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6.1.3 


6.1.4 


http_server.ssi_client_verification 


Purpose 


Determines whether the server should attempt to authenticate clients with SSL Client Certificate 
verification. 


This setting is disabled by default. 


Syntax 


http server.ssl client verification = option 


Option Use 


autoupdate Specifies the same functionality as the Optional option; however, previously unknown client 
certificates that pass HTTP authentication are added to a trust store so that subsequent client 
connections with the same certificate do not require HTTP authentication. 


disabled Disables client certificate checking. 


This is the default setting. 


optional Allows a trusted certificate to be authenticated (no HTTP authentication is necessary). 


Also allows an untrusted certificate to pass the SSL handshake if the client passes the HTTP 
authentication. 


required Requires a trusted certificate for the SSL handshake to succeed. 


Example 


http server.ssl client verification = disabled 


http_server.ssi_trust_store 


Purpose 


Specifies a directory containing the OpenSSL trust store. 


Syntax 
http_server.ssl_trust_store = path 


The default path for the trust store file is /etc/openwbem/truststore. 


Example 


http_server.ssl_trust_store = /etc/openwbem/truststore 
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6.1.5 http server.use digest 


Purpose 


Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication 
mechanism. To use Digest, you must set up the digest password file using owdigestgenpass. 


Digest doesn't use the authentication module specified by the OWCIMOMD.authentication_module 
configuration setting. 


Syntax 


http server.use digest = option 


Option Use 


false Enables the Basic authentication mechanism. 
This is the default for OES 2 Linux. 
true Disables the Basic authentication mechanism. 


This is the default OpenWBEM setting. 


Example 


http server.use digest = false 


6.1.6  owcimomd.ACL_superuser 


Purpose 


Specifies the user name of the user that has access to all Common Information Model (CIM) data in 
all namespaces maintained by the OWCIMOMD. This user can be used to administer the /root / 
security name space, which is where all ACL user rights are stored. 


ACL processing is not enabled until the OpenWBEM_Ac11.0.mof file has been imported. 


Syntax 


owcimomd.ACL superuser = username 


Example 


owcimomd.ACL superuser = root 
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6.1.7 


6.1.8 


owcimomd.allowed_anonymous 


Purpose 


Enables or disables anonymous logins to owmgmt_openwebem_lx_nwd. 


Syntax 


owcimomd.allowed anonymous = option 


Option Use 


false Requires login with a user name and password to access OWCIMOMD data. 


This is the default and recommended setting. 


true Allows anonymous logins to OWCIMOMD. 


This disables authentication. No user name or password is required to access OWCIMOMD data. 


Example 


owcimomd.allowed anonymous = false 
owcimomd.allowed_users 


Purpose 


Specifies a list of users who are allowed to access OWCIMOMD data. 


Syntax 


owcimomd.allowed_users = option 


Option Use 


username Specifies one or more users who are allowed to access the OWCIMOMD data. 


Separate each user name with a space. 


3 Allows all users to authenticate (for example, if you choose to control access with ACLs instead). 


This option is enforced for all authentication methods unless owcimomd.allow_anonymous is set 
to true. 


This is the default setting. 


Example 


owcimomd.allowed users = bcwhitely jkcarey jlanderson 
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6.1.9 


.1.10 


6.2 


owcimomd.authentication module 


Purpose 


Specifies the authentication module that is used by OWCIMOMD. This setting should be an absolute 
path to the shared library containing the authentication module. 


Syntax 
owcimomd.authentication module = path filename 


The following are the default path and filename for the authentication modules: 


Platform File Location 

Linux x86 lasr/1ib/openwbem/authentication/libnovellauthentication.so 
Linux 64 /usr/1ib64/openwbem/authentication/libnovellauthentication.so 
Example 


owcimomd.authentication module = /usr/lib/openwbem/authentication/ 
libnovellauthentication.so 


simple_auth.password_ file 


Purpose 


Specifies the path to the password file when the simple authentication module is used. 


This setting is disabled by default. 


Syntax 


simple auth.password file = path filename 


Example 


simple auth.password file = /etc/openwbem/simple auth.passwd 


Changing the Certificate Configuration 


The http_server.SSL_cert and the http_server.SSL_key settings specify the location of the file or files 
that contains the host's private key and the certificate that is used by OpenSSL for HTTPS 
communications. 


The . pem file is located in the following default locations: 
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Table 6-1 .pem File Locations 


Platform File Location 


Linux /etc/openwbem/servercert .pem 


/etc/openwbem/serverkey.pem 


Syntax 
http server.SSL cert = path filename 
and 


http server.SSL key = path filename 


Example 


http server.SSL cert = /etc/openwbem/servercert.pem 


http server.SSL key = /etc/openwbem/serverkey.pem 


Changing the Port Configuration 


The http_server.http_port and server.https_port settings specify the port number that OWCIMOMD 
listens on for all HTTP and HTTPS communications. 


Syntax 
http server.http port = option 
or 


http server.https port = option 


Option Use 
Specific_port_ number Specify the specific port for HTTP or HTTPS communications. 
For HTTP, the default port is 5988. 


For HTTPS, the default port is 5989. 


-1 Disables HTTP or HTTPS connections (for example, if you only want to support 
HTTPS connections). 


0 Dynamically assigns a port number at run time. 


Example 


These settings disable the HTTP port and enable port 5989 for HTTPS communications: 
http _server.http port = -1 


http _server.https port = 5989 
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6.4 


6.5 


6.5.1 


Configuring CIMOM Daemons to Bind to IP Addresses 


You can configure Open WBEM to bind the CIMOM daemons to all of the IP addresses on a server. 


You can do this by editing the /etc/openwbem/openwbem. conf file. Set the 
http _server.listen addresses parameter of the openwbem. conf file to 0.0.0.0, which is the 
default. The following is the section to change in the openwbem.conf file: 


# http server.listen addresses option specifies the local addresses 
# to listen on. The option is a space delimited list. 

# Each item is either a hostname or an IP address. 

# The value 0.0.0.0 means to listen on all local addresses. 

# This is a multi-valued option. Whitespace is the separator. 

# The default is 0.0.0.0 
http server.listen addresses = 0.0.0.0 


Changing the Default Logging Configuration 


The following log settings in the owcimomd. conf file let you specify where and how much logging 
occurs, the type of errors logged, and the log size, filename, and format: 


+ Section 6.5.1, “log.main.categories,” on page 26 

+ Section 6.5.2, “log.main.components,” on page 27 

+ Section 6.5.3, “log.main.format,” on page 28 

+ Section 6.5.4, “log.main.level,” on page 29 

+ Section 6.5.5, “log.main.location,” on page 30 

+ Section 6.5.6, “log.main.max_backup_index,” on page 30 
+ Section 6.5.7, “log.main.max_file_size,” on page 30 


+ Section 6.5.8, “log.main.type,” on page 31 
If you want to set up debug logging, see Section 6.6, “Configuring Debug Logging,” on page 31. 


If you want to set up additional logs, see Section 6.7, “Configuring Additional Logs,” on page 32. 
log.main.categories 


Purpose 


Specifies the categories the log outputs. 


Syntax 


log.main.categories = option 
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Option Use 


category_name Specifies the categories to be logged using a space delimited list. 
The categories used in OWCIMOMD are: 


+ DEBUG 
* ERROR 
+ FATAL 
+ INFO 


For more information about these options, see “log.main.level” on page 29. 


If specified in this option, the predefined categories are not treated as levels, but as 
independent categories. No default is available; if a category is not set, no 
categories are logged and the log.main.level setting is used. 


= All categories are logged. 


This is the default setting. 


Example 


log.main.categories = FATAL ERROR INFO 
6.5.2 log.main.components 


Purpose 


Specifies the components that the log outputs. 


Syntax 


log.main.components = option 


Option Use 
component_name Specifies the components to be logged (such as OWCIMOMD) using a space- 
-delimited list. 


Providers can use their own components. 


* Specifies that all components are logged. 


This is the default setting. 


Example 


log.main.components = owcimomd nssd 
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6.5.3 


log.main.format 


Purpose 


Specifies the format (text mixed with printf() style conversion specifiers) of the log messages. 


Syntax 


log.main.format = conversion specifier 


Option Specifies 

%% % 

%c Component (such as OWCIMOMD) 
%d Date 


Can be followed by a date format specifier enclosed between braces. For example, 
%d(%H:%M:%S) or %d{%d %b %Y %H:%M:%S}. If no date format specifier is given, then 
ISO 8601 format is assumed. 


The only addition is %Q, which is the number of milliseconds. 


For more information about the date format specifiers, see the documentation for the 
strftime() function found in the <ctime> header. 


%e Message as XML CDATA. This includes the “<![CDATA[* and ending “] ]>” 

%F Filename 

%l Filename and line number. For example, file. cpp(100) 

%L Line number 

%M Method name where the logging request was issued (only works on C++ compilers that 


support _ PRETTY_FUNCTION__ or C99’s _ func__). 


om Message 

“on Platform-dependent line separator character (In) or characters (\r\n). 

%p Category, also known as level or priority. 

%r Number of milliseconds elapsed between the start of the application and the creation of the 


logging event. 


%t Thread ID 
\n New line 
\t Tab 

\r Line feed 
\ \ 


\x<hexDigits> Character represented in hexadecimal 


It is possible to change the minimum field width, the maximum field width, and justification. The 
optional format modifier is placed between the percent sign (%) and the conversion character. The 
first optional format modifier is the left justification flag, which is the minus (-) character. The 
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optional minimum field width modifier follows, which is an integer that represents the minimum 
number of characters to output. If the data item requires fewer characters, it is padded with spaces on 
either the left or the right, according to the justification flag. If the data item is larger than the 
minimum field width, the field is expanded to accommodate the data. 


The maximum field width modifier is designated by a period (.) followed by a decimal constant. If 
the data item is longer than the maximum field, then the extra characters are removed from the 
beginning of the data item (by default) or from the end (if the left justification flag was specified). 


Examples 


Log4j TTCC layout: 

"Sr [%t] %-5p $c - Sm" 

Similar to TTCC but with some fixed-size fields: 
"S-6r [%15.15t] %-5p $30.300 - %m" 


XML output conforming to log4j.dtd 1.2, which can be processed by Chainsaw (if used, this must be 
on one line; it is split up here for readability): 


"<log4j:event logger="%c" timestamp="%d{%s%Q}" level="%p" thread="%t"> 
<log4j :message>%e</log4j:message> <log4j:locationInfo class="" method="" file="SF" 
line="%L"/></log4j:event>" 


The following is the default: 


log.main.format = [%t]%m 
log.main.level 
Purpose 


Specifies the level the log outputs. If set, the log outputs all predefined categories at and above the 
specified level. 


Syntax 


log.main.level = option 


Option Use 
DEBUG Logs all Debug, Info, Error, and Fatal error messages. 
ERROR Logs all Error and Fatal error messages. 


This is the default setting. 


FATAL Logs only Fatal error messages. 
INFO Logs all Info, Error, and Fatal error messages. 
Example 


log.main. level = ERROR 
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6.5.5 


6.5.6 


6.5.7 


log.main.location 


Purpose 


Specifies the location of the log file OWCIMOMD uses when the log.main.type setting option 
specifies that logging is sent to a file. 


Syntax 


log.main.location = path filename 


Example 


log.main.location = /system/cimom/var/owcimomd.log 


log.main.max_backup_index 


Purpose 


Specifies the amount of backup logs that are kept before the oldest is erased. 


Syntax 


log.main.backup_index = option 


Option Use 


unsigned_integer_above_0 Specifies the number of backup logs kept. 


The default setting is 1 log file. 


0 No backup logs are made and the log is truncated when it reaches the 
maximum file size. 


Example 


log.main.max backup index = 1 
log.main.max file_size 


Purpose 


Specifies the maximum size (in KB) that the OWCIMOMD log can grow to. 


Syntax 


log.main.max file size = option 
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6.6 


Option 


unsigned _integer_in_KB 


Use 


Limits the log to a certain size in KB. 


0 


Example 


Lets the log grow to an unlimited size. 


This is the default setting. 


log.main.max file size = 0 


log.main.type 


Purpose 


Specifies the type of main log OWCIMOMD uses. 


Syntax 

log.main.type = option 

Option Use 

file Sends all messages to a file that is identified in the log.main.location configuration 
setting. 

null Disables logging. 

syslog Sends all messages to the syslog interface. 
This is the default setting for Linux. 

Example 


log.main.type = 


syslog 


Configuring Debug Logging 


If OWCIMOMD is run in debug mode, then the debug log is active with the following settings: 


* log.debug.categories = * 


* log.debug.components = * 


+ log.debug. format 


* log.debug.level 
+ log.debug.type 


= [%t] %m 


= * 


stderr 
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6.6.1 Debug Log with Color 


If you want a color version of the debug log, use the following ASCII escape codes: 


log.debug.format = \x1b[1;37;40m[\x1b[1;31;40m%-.6t\x1b[1;37;40m] \x1b [1;32;40m 
%m\x1b[0;37;40m 


If you want to use additional colors, use the following codes with the log.debug.format command: 


Table 6-2 Additional Color Codes for the log.debug.format Command 


Color Codes 

red \x1b[1;31;40m 
dark red \x1b[0;31;40m 
green \x1b[1;32;40m 
dark green \x1b[0;32;40m 
yellow \x1b[1;33;40m 
dark yellow \x1b[0;33;40m 
blue \x1b[1;34;40m 
dark blue \x1b[0;34;40m 
purple \x1b[1;35;40m 
dark purple \x1b[0;35;40m 
cyan \x1b[1;36;40m 
dark cyan \x1b[0;36;40m 
white \x1b[1;37;40m 
dark white \x1b[0;37;40m 
gray \x1b[0;37;40m 
reset color \x1b[0;37;40m 


6.7 Configuring Additional Logs 


If you want to create additional logs, list the log names under this setting: 
owcimomd.additional_logs = logname 


Separate multiple log names with spaces. 


Syntax 
owcimomd.additional_logs = logname 
For each log, the following settings apply: 


log.log name.categories 
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log. 
log. 
log. 
log. 
log. 


log. 


log_name. 
log_name. 
log_name. 
log_name. 
log_name. 


log_name. 


Example 


components 
format 

level 

location 

max backup index 


max file size 


owcimomd.additional logs = errorlogl errorlog2 errorlog3 
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1.1 


7.2 


Security Considerations 


This section includes issues that you should consider when installing and configuring OpenWBEM 
services on a Novell Open Enterprise Server (OES) 2 Linux server. 


+ Section 7.1, “Secure Access,” on page 35 


+ Section 7.2, “CIM Providers,” on page 35 


Secure Access 


The default setup of OpenWBEM is relatively secure. However, you might want to review the 
following to ensure access to OpenWBEM components is as secure as desired for your organization. 
See “Ensuring Secure Access” on page 16. 


CIM Providers 


The OWCIMOMD process changes the fsuid (file system UID) of the threads as they execute 
provider code. However, these providers run in the same process space as OWCIMOMD, which runs 
as root. The fsuid change is done for convenience of the providers so that they can determine the 
access that a user has to the file system. This fsuid change provides only a minimal level of security. 
For security purposes, the providers should be considered as running as root. 


IMPORTANT: Because CIM providers must run as root they should be monitored for attacks. 


For example, look in syslog files to find odd patterns of behavior or malicious activity. In addition, if 
CIM or its providers do security logging, look at those log files as well. 
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Documentation Updates 


To help you keep current on updates to the documentation, this section contains information on 
content changes that have been made in this OES 2: Open WBEM Services Administration Guide since 
the initial release of Open Enterprise Server 2. 


The documentation was updated on the following dates: 


+ Section A.1, “April 30, 2013,” on page 37 

+ Section A.2, “January 31, 2013,” on page 37 

+ Section A.3, “December 2010 (OES 2 SP3),” on page 38 

+ Section A.4, “November 9, 2009 (OES 2 SP2),” on page 38 
+ Section A.5, “December 2008,” on page 38 


A.1 April 30, 2013 


Updates were made to the following section. The changes are explained below. 


A.1.1 What's New or Changed for Novell Cluster Services 


Location Change 


Section 2.1, “What's New (April 2013 Patches),” on This section is new. 
page 9 


A.2 January 31, 2013 


Updates were made to the following section. The changes are explained below. 


A.2.1 What's New or Changed for Novell Cluster Services 


Location Change 


Section 2.2, “What's New (January 2013 Patches),” on This section is new. 
page 9 


Documentation Updates 


A.3 


A.4 


A.5 


A.5.1 


A.5.2 


December 2010 (OES 2 SP3) 


This guide was updated to conform with Novell documentation standards. Information specific to 
the NetWare 6.5 SP8 operating system was removed. For NetWare openWBEM management 
information, see the NW 6.5 SP8: OpenWBEM Services Administration Guide. 


November 9, 2009 (OES 2 SP2) 


The guide What’s New section was updated for OES 2 SP2. There are no other content changes for 
OES 2 SP2. 


December 2008 


Updates were made to the following sections. The changes are explained below. 


+ Section A.5.1, “Changing the OpenWBEM CIMOM Configuration,” on page 38 
+ Section A.5.2, “What's New for OpenWBEM,” on page 38 
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Location Change 


Section 6.4, “Configuring This section is new. 
CIMOM Daemons to Bind 
to IP Addresses,” on 


page 26 
What’s New for OpenWBEM 
Location Change 


Section 2.5, “OES 2 SP1,” This section is new. 
on page 10 
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